FreeIPA wiki migration to OpenShift v3
by Martin Kosek
Hello all,
I would like to start a discussion regarding the migration of current
FreeIPA services that are running on OpenShift v2 that was obsoleted [1]
and will go soon EOL (the ultimate cut-off date is Dec 31, 2017).
After a short discussion I had with several FreeIPA developers, the
preference remained with keeping this application on OpenShift (v3
generation), as it will let us easily maintain it on a PaaS, without
having to care about maintaining our own infra. It will be also easy to
delegate maintenance powers to more people.
Given above, I have now set up a Pro account with OpenShift v3 and
migrated the base FreeIPA wiki as an application there, with today's
snapshot of data and images. When the POC deployment is ready and
approved on this list, I can switch the current wiki to readonly and
request change of "www.freeipa.org" DNS records to get it to production.
The POC wiki is running in [2], with OpenShift application sources being
stored in a public git repo [3]. Eventually, OpenShift could be
configured to rebuild the wiki after a git push to [3], to enable easy
changes to the wiki for its maintainers. Let me know if there are any
concerns about having the wiki sources public. The secrets and keys are
of course not in the repo, but configured via OpenShift environment
variables.
The POC now runs pretty well, the only issue I found so far is linking
the wiki user authentication with Fedora auth. The problem is that the
current OpenID plugin [4] is deprecated and does not run with modern PHP
version and I could not get the new OpenID Connect one [5] to work
reliably with our wiki and Fedora OIDC service. I either received
authentication errors or later problems with linking the authenticated
user to the current account. So for now I gave up and enabled simple
password auth again.
Feedback welcome!
Thanks,
Martin
[1] https://blog.openshift.com/migrate-to-v3-v2-eol/
[2] https://freeipa-org-wiki-freeipa.b9ad.pro-us-east-1.openshiftapps.com
[3] https://github.com/freeipa/freeipa-wiki
[4] https://www.mediawiki.org/wiki/Extension:OpenID
[5] https://www.mediawiki.org/wiki/Extension:OpenID_Connect
--
Martin Kosek <mkosek(a)redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.
[freeipa PR#1079][opened] ipa-server-upgrade: fix the logic for tracking certs
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/1079
Author: flo-renaud
Title: #1079: ipa-server-upgrade: fix the logic for tracking certs
Action: opened
PR body:
"""
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...).
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stops tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria use the keyword 'ca' instead of
'ca-name', which leads the upgrade to believe that the config needs to be
updated in all cases.
https://pagure.io/freeipa/issue/7151
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1079/head:pr1079
git checkout pr1079
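The lookup described in the PR body, as an added illustration that is not FreeIPA's or certmonger's own code: tracking requests are matched against criteria key by key, so a criterion under a key no request carries ('ca') can never match, and every cert looks untracked. The request property names, paths and CA names below are constructed sample data for this example.

```python
from typing import Dict, List, Optional

# Constructed sample of the tracking requests certmonger would already hold
# on a correctly configured server (property names are assumptions here).
TRACKED: List[Dict[str, str]] = [
    {"nickname": "Server-Cert", "cert-database": "/etc/dirsrv/slapd-EXAMPLE-COM",
     "ca-name": "IPA"},
    {"nickname": "Server-Cert", "cert-database": "/etc/httpd/alias",
     "ca-name": "IPA"},
    {"nickname": "subsystemCert cert-pki-ca",
     "cert-database": "/etc/pki/pki-tomcat/alias",
     "ca-name": "dogtag-ipa-ca-renew-agent"},
]


def find_request(requests: List[Dict[str, str]],
                 criteria: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the first request whose properties match every criterion.

    A criterion keyed on a property the request does not have can never
    match, which is exactly how a wrong keyword hides a valid request.
    """
    for req in requests:
        if all(req.get(key) == value for key, value in criteria.items()):
            return req
    return None


def expected_criteria(ca_key: str) -> List[Dict[str, str]]:
    """Criteria the upgrade expects, parameterised on the CA keyword used."""
    return [
        {"nickname": "Server-Cert",
         "cert-database": "/etc/dirsrv/slapd-EXAMPLE-COM", ca_key: "IPA"},
        {"nickname": "Server-Cert",
         "cert-database": "/etc/httpd/alias", ca_key: "IPA"},
        {"nickname": "subsystemCert cert-pki-ca",
         "cert-database": "/etc/pki/pki-tomcat/alias",
         ca_key: "dogtag-ipa-ca-renew-agent"},
    ]


def unmatched(requests: List[Dict[str, str]],
              expected: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Expected entries with no matching request; any hit means the upgrade
    would stop tracking all certs and re-track them from scratch."""
    return [c for c in expected if find_request(requests, c) is None]
```

With the 'ca' keyword all three entries come back unmatched even though nothing is misconfigured; with 'ca-name' the list is empty and the upgrade leaves tracking alone.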